
Latest revision as of 22:29, 7 February 2011

Objective

This tech note outlines the main differences in the Switched Port Analyzer (SPAN) between Cisco® NX-OS Software and Cisco IOS® Software. Sample configurations are included for Cisco NX-OS and Cisco IOS Software for some common features to demonstrate the similarities and differences. Please refer to the NX-OS documentation on Cisco.com for a complete list of supported features.

SPAN Overview

The SPAN feature allows traffic to be mirrored from within a switch from a specified source to a specified destination. This feature is typically used when detailed packet information is required for troubleshooting, traffic analysis, and security-threat prevention.

Cisco NX-OS uses a hierarchical configuration based on the monitor session <#> command, whereas Cisco IOS Software offers a choice of flat or hierarchical configuration in Cisco IOS Software release 12.2SXH and later.

A single SPAN session can include mixed sources (Ethernet ports, Ethernet Port-Channels, RSPAN sources, VLANs, and the CPU control-plane interface).

Destination SPAN interfaces must be configured as a layer-2 interface with the switchport and the switchport monitor interface commands.

The SPAN feature supports stateless and stateful process restarts.

Things You Should Know

The following list provides some additional facts about Cisco NX-OS that should be helpful when configuring the SPAN feature.

Two active sessions are supported for all virtual device contexts (VDCs).

128 source interfaces can be configured per session.

32 source VLANs can be configured per session.

32 destination interfaces can be configured per session.

Monitor sessions are disabled by default. They can be enabled with the no shut command.

An active SPAN session uses hardware resources and should always be disabled with the shut command when monitoring is not required.

The supervisor module management interface (mgmt0) cannot be configured as a SPAN source or destination interface.

An interface cannot be configured as both a source and destination interface.

Ethernet and Port-Channel sub-interfaces cannot be configured as source or destination interfaces. When configuring a source interface, specify the primary interface as the source interface and use the filter-vlan command to specify the 802.1q tag associated to the sub-interface.

The in-band control-plane interface to the CPU can be monitored only from the default VDC. (All traffic to and from the CPU for all VDCs is visible.)

The source traffic direction can be configured as rx, tx, or both. The default is both.

When a VLAN is specified as a source, traffic to and from the layer-2 physical interfaces associated to the specified VLAN is sent to the SPAN destination. (Ingress and egress traffic between SVIs/VLANs is not captured if the traffic does not go in or out of a physical interface.)

By default, SPAN does not copy the IEEE 802.1q tag from trunk source interfaces.

A destination interface can be configured in switchport access or switchport trunk mode. (Trunk mode allows you to tag traffic toward a destination or to perform destination VLAN filtering.)

A destination interface does not participate in a spanning-tree instance.

A destination interface can be configured with the switchport monitor ingress interface command to allow the destination device (for example, an IDS) to disrupt packet flows.

A destination port can be configured in only one SPAN session at a time.

ERSPAN is VRF aware. The vrf command can be configured under the monitor session to specify which VRF instance the source and destination addresses belong to.

An ERSPAN source can be configured with an extended ACL to preserve bandwidth by filtering unwanted traffic prior to sending the interesting traffic to the remote destination.
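As an added illustration (not part of this Cisco tech note), the following Python linter parses the monitor session blocks of an NX-OS running-config and checks them against the interface rules listed above: a port cannot be both source and destination, sub-interfaces and mgmt0 are not allowed, a destination port belongs to only one session, and the per-session interface limits apply. The sample running-config is constructed for the example.

```python
import re

# Per-session interface limits and rules from the "Things You Should Know" list above.
LIMITS = {"src_if": 128, "dst_if": 32}

def _norm(name):  # "Ethernet 2/1" and "ethernet2/1" name the same port
    return "".join(name.split()).lower()

def parse_sessions(config):  # collect source/destination ports per 'monitor session <n>'
    sessions, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():  # an unindented line starts a new config block
            m = re.match(r"monitor session (\d+)", line)
            cur = sessions.setdefault(m.group(1), {k: [] for k in LIMITS}) if m else None
        elif cur is not None:
            # strip the optional rx|tx|both direction keyword from source lines
            if m := re.match(r"source interface (.+?)(?: (?:rx|tx|both))?$", line):
                cur["src_if"].append(_norm(m.group(1)))
            elif m := re.match(r"destination interface (.+)$", line):
                cur["dst_if"].append(_norm(m.group(1)))
    return sessions

def check_span(config):  # apply the rules; returns a list of findings (empty = clean)
    findings, dst_owner = [], {}
    for sid, s in parse_sessions(config).items():
        findings += [f"session {sid}: {len(s[k])} {k} exceeds limit of {lim}"
                     for k, lim in LIMITS.items() if len(s[k]) > lim]
        for name in s["src_if"] + s["dst_if"]:
            if "." in name or name == "mgmt0":  # sub-interfaces and mgmt0 are never valid
                findings.append(f"session {sid}: {name} cannot be a SPAN source or destination")
        for name in sorted(set(s["src_if"]) & set(s["dst_if"])):
            findings.append(f"session {sid}: {name} is both source and destination")
        for name in s["dst_if"]:  # a destination port belongs to at most one session
            if name in dst_owner:
                findings.append(f"session {sid}: destination {name} already used by session {dst_owner[name]}")
            dst_owner.setdefault(name, sid)
    return findings

# Constructed sample running-config (not from the page); session 2 deliberately breaks three rules.
SAMPLE = """\
monitor session 1
  source interface Ethernet 2/1 both
  destination interface Ethernet 2/2
monitor session 2
  source interface Ethernet2/3.100 rx
  source interface Ethernet 2/2 both
  destination interface Ethernet2/2
"""
```

Running check_span(SAMPLE) reports the sub-interface source, the port used as both source and destination, and the destination port already owned by session 1.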

Configuration Comparison

The following sample code shows the configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software command-line interfaces (CLIs). The Cisco IOS Software syntax shown here is from Cisco IOS Software release 12.2SXH, so its hierarchy is similar to the Cisco NX-OS Software. Older versions of Cisco IOS Software only support a flat configuration.

Each entry below shows the Cisco IOS CLI configuration first and the equivalent Cisco NX-OS CLI configuration second.

Configuring the Destination Switchport Mode

Cisco IOS CLI:
  Cisco IOS Software does not require any destination port configuration.

Cisco NX-OS CLI:
  interface ethernet 2/2
    switchport
    switchport monitor

Configuring Destination Port Ingress Forwarding and Learning

Cisco IOS CLI:
  monitor session 1 type local
    destination interface gigabitethernet2/2 ingress learning

Cisco NX-OS CLI:
  interface ethernet 2/2
    switchport
    switchport monitor ingress learning

Configuring a SPAN Monitor (Ethernet Source and Destination)

Cisco IOS CLI:
  monitor session 1 type local
    source interface gigabitethernet 2/1
    destination interface gigabitethernet 2/2
    no shutdown

Cisco NX-OS CLI:
  monitor session 1
    source interface ethernet 2/1 both
    destination interface ethernet 2/2
    no shut

Configuring a SPAN Monitor (VLAN Source)

Cisco IOS CLI:
  monitor session 1 type local
    source vlan 10 , 20 both
    destination interface gigabitethernet 2/2
    no shutdown

Cisco NX-OS CLI:
  monitor session 1
    source vlan 10,20 both
    destination interface ethernet 2/2
    no shut

Filtering VLANs for IEEE 802.1q Trunk Sources

Cisco IOS CLI:
  interface gigabitethernet 2/1
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10-20
    switchport mode trunk
  monitor session 1 type local
    filter vlan 15 - 20
    source interface gigabitethernet 2/1
    destination interface gigabitethernet 2/2
    no shutdown

Cisco NX-OS CLI:
  interface ethernet 2/1
    switchport
    switchport mode trunk
    switchport trunk allowed vlan 10-20
  monitor session 1
    source interface ethernet 2/1 both
    destination interface ethernet 2/2
    filter vlan 15-20
    no shut

Configuring a SPAN Monitor (CPU Source)

Cisco IOS CLI:
  monitor session 1 type local
    source cpu rp rx
    destination interface gigabitethernet 2/2
    no shutdown

Cisco NX-OS CLI:
  monitor session 1
    source interface sup-eth0 rx
    destination interface ethernet 2/2
    no shut

Configuring an ERSPAN Monitor (Source)

Cisco IOS CLI:
  monitor session 1 type erspan-source
    source interface gigabitethernet 2/2
    destination
      ip address 192.168.2.1
      origin ip address 192.168.1.1
      erspan-id 1
    no shutdown

Cisco NX-OS CLI:
  monitor erspan origin ip-address 192.168.1.1 global
  monitor session 1 type erspan-source
    destination ip 192.168.2.1
    erspan-id 1
    vrf default
    source interface ethernet 1/26 both
    no shut

Configuring an ERSPAN Monitor (Destination)

Cisco IOS CLI:
  monitor session 1 type erspan-destination
    destination interface gigabitethernet 1/26
    source
      ip address 192.168.2.1
      erspan-id 1
    no shutdown

Cisco NX-OS CLI:
  interface ethernet 1/26
    switchport
    switchport monitor
  monitor session 1 type erspan-destination
    source ip 192.168.2.1
    destination interface ethernet 1/26
    erspan-id 1
    vrf default
    no shut

Verification Command Comparison

The following table compares some useful show commands for verifying and troubleshooting the SPAN feature.